Cookie Consent is designed to provide website visitors with choice and control over their consent to use cookies and other tracking technologies when visiting websites. The capability is delivered using cookie consent code, and is required as part of compliance with the ePrivacy directive, GDPR, and the forthcoming ePrivacy Regulation.

What is a cookie consent banner?

The cookie consent banner (aka cookie consent bar or cookie popup) appears at the top of a website and notifies visitors, via a cookie consent message, about the use of cookies.

What is a GDPR compliant cookie consent solution?

In order to be compliant with GDPR (aka cookie consent DSGVO), a website should:

• Inform the user how their personal data is being used prior to storing it on the device (by displaying cookie consent text).
• Enable consent to use cookies via an explicit affirmative action.
• Be able to prove that consent has occurred.
• Provide a means for the withdrawal of consent and guarantee via prior blocking that no tracking is performed before consent is obtained.
• State the category of each cookie on the website.

Do I need a GDPR compliant cookie consent solution if I only use Google analytics on my website?

Per the Google Analytics support website, “When using Google Analytics Advertising Features, you must also comply with the European Union User Consent Policy.”

If you have enabled Advertising features in Google Analytics, then consent from the EU citizen is a requirement.

The General Data Protection Regulation (EU) 2016/679 ("GDPR") is a European Union (EU) law the deals with data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU.

How does the GDPR define personal data?

General Data Protection Regulation (GDPR) is designed to protect “natural persons” visiting websites “with regard to the processing of personal data and on the free movement of such data.” The GDPR has significantly broadened the concept of “personal data” for privacy purposes, including technical identifiers, location data, IP address, photos and other information that directly or indirectly can identify a distinct person, regardless of context.

What does the GDPR say about cookies and online tracking?

Per GDPR, the setting of tracking cookies can only occur once the user has provided their consent.

What does the GDPR say about cookies opt in and opt out?

GDPR Article 4(11) is clear about for opt-in consent. Specifically, it states:"any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed; …Silence, pre-ticked boxes or inactivity should therefore not constitute consent."

Opt-out is implied in the regulation. If the user does not explicitly opt in, they are opting out.

What is a GDPR compliant cookie policy?

In order to be compliant with GDPR, a website should:

• Inform the user how their personal data is being used prior to storing it on the device.
• Enable consent to use cookies via an explicit affirmative action.
• Be able to prove that consent has occurred
• Provide a means for the withdrawal of consent and guarantee via prior blocking that no tracking is performed before consent is obtained.
• State the category and purpose of each cookie on the website.

Regulation on Privacy and Electronic Communications ("ePrivacy Regulation") has been proposed by the European Commission to replace the current ePrivacy Directive. The new ePrivacy Regulation would be effective in all EU Member States upon finalization and will not require separate implementing legislation by each EU member state. It is anticipated that the ePrivacy Regulation may come into effect in 2019.

What is the difference between the ePrivacy Regulation and the GDPR?

ePrivacy Regulation will apply to any entity that processes electronic communications data and any provider of electronic communications services ("ECS"). "Electronic communications data" includes information concerning the end-user processed for the purpose of transmitting, distributing, or enabling the exchange of content, as well as information regarding content transmitted or exchanged. ECS would include email, internet access services, SMS, VoIP, Internet of Things devices and public and semi-private Wi-Fi “hotspots”, among other things.

ePrivacy differs from GDPR in the following ways:

Specifically focused on electronic communications

While the GDPR is the general regulation for personal data stored or used by a company, ePrivacy is a law specifically governing electronic communications. So, when a data privacy issue is raised regarding communications, ePrivacy will be used by regulators for enforcement. The two laws are meant to complement one another.

Includes non-personal data

GDPR is entirely-focused on the protection of personal data. The ePrivacy regulation is more expansive in its definition of data protection as it is focused more broadly on the confidentiality of communications, "which may also contain non-personal data and data related to a legal person," the proposal states.

Derived from different areas of EU law

The GDPR is based on Article 8 of the European Charter of Human Rights which says: "Everyone has the right to respect for his private and family life, his home and his correspondence" - i.e., a data subject has rights and is informed about what processing is being carried out on his or her personal data.

ePrivacy reflects Article 7 of the Charter of Fundamental Rights, which states: "Everyone has the right to respect for his or her private and family life, home and communications." - i.e., the data subject is aware of and can make choices in the context of communications that impact him or her. Also, the user may be either an individual or legal entity (vs. an individual-only with GDPR).

The ePrivacy Directive (aka the EU Cookie Law) was issued in 2002, and concerned the processing of personal data and the protection of privacy in the electronic communications sector.

What is the difference between the ePrivacy regulation and the ePrivacy directive?

Regulation on Privacy and Electronic Communications ("ePrivacy Regulation") has been proposed by the European Commission to replace the current ePrivacy Directive. The new ePrivacy Regulation would be effective in all EU Member States upon finalization and will not require separate implementing legislation by each EU member state, as was the case with the ePrivacy Directive. Put another way, regulations are legally binding across the EU and directives are designed to be incorporated into individual country’s laws, leaving open the possibility for different interpretations of the directive.

It is anticipated that the ePrivacy Regulation may come into effect in 2019.

The "EU Cookie Law" is another name for EU Directive 2009/136/EC. In it, the European Parliament mandated that all countries within the EU need to establish laws requiring websites to obtain informed consent before they can store or retrieve information on a visitor's device.